Increasingly, information of any kind is exchanged among various conversation partners using information processing means; this is the case with electronic mail, for instance, which consists of transmitting files in the form of digital information.
Depending on the nature and/or importance of the information that the file contains, it may be necessary for its issuer, author etc., to be properly identified. It may also be necessary to verify that an authorized person has given his agreement or validated such a file, and do so in a way that is even more certain than with a manuscript or typewritten document. In fact, the author of a typewritten document or any person authorized to act upon such a document can be identified by each handwritten signature attached to it.
The concept of validating a document arises when documents that must be signed or initialized by one or more persons, for instance, to allow the execution of certain actions, are circulated. This is particularly true for official papers, printed administrative or bookkeeping forms, any document giving power of attorney to one or more persons, or any document (such as contracts) used for hiring more than one person.
With a paper document (handwritten or typed) it is relatively easy to learn the identity of its author or of persons who have validated it because each signature is affixed to the paper itself. This is not true for an electronic file. An electronic file is in fact made up of a section of bits having the logical value of "0" or "1". As a result, any indication, attached to such a file, of the identity of its author or of the persons who have validated it, is not sufficient to prove that the file, in the form in which it is at a given moment, is in the same state in which it was when those persons signed or validated it.
This is why the concept has arisen of electronically signing such files, by calculating for each signer, using processing circuits, an electronic signature that is a function of the contents of the file and of at least one parameter specific to a signer or group of signers, and associating each thus-calculated signature with the file. The verification of the identity of a signer consists of recalculating the signature, using the processing circuits, and comparing this recalculated signature with the associated signature.
A person seeking to commit fraud, that is, a person not authorized to sign, cannot modify a file and associate a coherent signature with it, because he does not have control of the parameter or parameters specific to the original signer or signers. Similarly, in a circulation of documents that are to be signed by more than one person, any modification of the file after at least one person has already signed it means that it is impossible to replace each already-calculated signature with a coherent signature.
One such method of calculating and verifying signatures is described in French Patent 2 514 593, corresponding to U.S. Pat. No. 4,656,474, and to European Patent No. 077238.
This method consists of providing each potential signer with a portable object, such as a microprocessor card (also called a chip card), whose memory contains a secret key accessible solely by the processing circuits of the object. The secret key is diversified; that is, it is different from one object or card to another, so that two different cards cannot sign the same message in the same way.
The signature step per se consists of coupling the object to an information processing apparatus (which may be the apparatus in which the file is processed, and/or from which it is transmitted to another apparatus), and signing the file by causing calculation algorithms to run in the apparatus and in the object, such that the signature is a function of the secret key and of the contents of the file.
To prevent the secret key from being divulged outside the object, either the signature is calculated entirely inside the object by its processing circuits or a partial result is calculated by the object and transmitted to the circuits of the processing apparatus, which complete the calculation. Or again, the processing apparatus begins the calculation, for example by using a data compression algorithm, and the object calculates the signature per se. After being calculated, the signature is then transmitted with the file and a datum relating to the identity of the signer.
Verification consists of recalculating the signature of a file, without divulging it, using the processing circuits of an appropriate apparatus, and then comparing this recalculated signature with the one that was attached to the file, and finally indicating only the result of the comparison (i.e., whether or not the signatures match). The recalculation is made possible because the processing circuits of the verification apparatus include an algorithm that enables them first to recalculate, without divulging, the diversified secret key of the signer from the datum relating to his identity, which had been transmitted with the file, and then from that recalculated key, recalculating the signature. The recalculated key is not divulged outside the circuits of the verification apparatus so that its secret nature will be preserved. The recalculated signature is not divulged, to prevent a person observing the verification operations and seeking to commit fraud from attempting to utilize the results of the recalculation for his own benefit.
Nevertheless, known signature methods have the disadvantage, in particular, of requiring the entire file to be handled during the calculation and verification of a signature, which can be a hindrance for various reasons.
A first reason, which is important when the file must be signed by a single person or by more than one person without any of them having made any changes, is that if the file can be very long, thus, the process of calculating and verifying the signature can take an unacceptable amount of time, which conflicts with the information processing goals.
A file contains both sensitive and non-sensitive information. The sensitive information, for example, is that relating to the background; this may involve numerical values when the file is a bookkeeping file, or particular paragraphs in a report or a letter. The nonsensitive information, for example is that relating to form; this involves accompanying texts, for instance, whose presence enriches the file without changing the background, and whose absence or modification is accordingly unimportant.
A second disadvantage applies when more than one person is supposed to sign the file while being authorized to modify certain zones of it or add information. In that case, with the known methods, only the signature of the last signer can be called authentic, since each modification or addition to the file means that the parameters that were used to develop the preceding signatures have been modified.